Functions/Accounts/Get-PASAccountPassword.ps1
function Get-PASAccountPassword { <# .SYNOPSIS Returns password for an account. .DESCRIPTION Returns password for an account identified by its AccountID. If using version 9.7+ of the API: - Will not return SSH Keys. - Cannot be used if a reason for password access must be specified. If using version 10.1+ of the API: - Will return SSH key of an existing account - Can be used if a reason and/or ticket ID must be specified. .PARAMETER AccountID The ID of the account whose password will be retrieved. .PARAMETER UseClassicAPI Specify the UseClassicAPI to force usage the Classic (v9) API endpoint. .PARAMETER Reason The reason that is required to be specified to retrieve the password/SSH key. Use of parameter requires version 10.1 at a minimum. .PARAMETER TicketingSystem The name of the Ticketing System. Use of parameter requires version 10.1 at a minimum. .PARAMETER TicketId The ticket ID of the ticketing system. Use of parameter requires version 10.1 at a minimum. .PARAMETER Version The version number of the required password. If there are no previous versions, the current password/key version is returned. Use of parameter requires version 10.1 at a minimum. .PARAMETER ActionType The action this password will be used for. Use of parameter requires version 10.1 at a minimum. .PARAMETER isUse Internal parameter (for PSMP only). Use of parameter requires version 10.1 at a minimum. .PARAMETER Machine The address of the remote machine to connect to. Use of parameter requires version 10.1 at a minimum. .EXAMPLE Get-PASAccount -Keywords root -Safe Prod_Safe | Get-PASAccountPassword Will return the password value of the account found by Get-PASAccount: Password -------- Ra^D0MwM666*&U .EXAMPLE Get-PASAccount -Keywords root -Safe Prod_Safe | Get-PASAccountPassword -UseClassicAPI Will retrieve the password value of the account found by Get-PASAccount using the classic (v9) API: Password -------- Ra^D0MwM666*&U .EXAMPLE Get-PASAccount -Keywords root -Safe Prod_Safe | Get-PASAccountPassword -Reason "Incident Investigation" Will retrieve the password value of the account found by Get-PASAccount using the v10 API, and specify a reason for access. Password -------- Ra^D0MwM666*&U .INPUTS All parameters can be piped by property name Accepts pipeline input from other Get-PASAccount .OUTPUTS Outputs Object of Custom Type psPAS.CyberArk.Vault.Credential Output format is defined via psPAS.Format.ps1xml. To force all output to be shown, pipe to Select-Object * .NOTES Minimum API version is 9.7 for password retrieval only. From version 10.1 onwards both passwords and ssh keys can be retrieved. .LINK https://pspas.pspete.dev/commands/Get-PASAccountPassword #> [CmdletBinding(DefaultParameterSetName = "v10")] param( [parameter( Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = "ClassicAPI" )] [parameter( Mandatory = $true, ValueFromPipelinebyPropertyName = $true, ParameterSetName = "v10" )] [Alias("id")] [string]$AccountID, [parameter( Mandatory = $false, ValueFromPipelinebyPropertyName = $false, ParameterSetName = "ClassicAPI" )] [switch]$UseClassicAPI, [parameter( Mandatory = $false, ValueFromPipelinebyPropertyName = $false, ParameterSetName = "v10" )] [string]$Reason, [parameter( Mandatory = $false, ValueFromPipelinebyPropertyName = $false, ParameterSetName = "v10" )] [string]$TicketingSystem, [parameter( Mandatory = $false, ValueFromPipelinebyPropertyName = $false, ParameterSetName = "v10" )] [string]$TicketId, [parameter( Mandatory = $false, ValueFromPipelinebyPropertyName = $false, ParameterSetName = "v10" )] [int]$Version, [parameter( Mandatory = $false, ValueFromPipelinebyPropertyName = $false, ParameterSetName = "v10" )] [ValidateSet("show", "copy", "connect")] [string]$ActionType, [parameter( Mandatory = $false, ValueFromPipelinebyPropertyName = $false, ParameterSetName = "v10" )] [boolean]$isUse, [parameter( Mandatory = $false, ValueFromPipelinebyPropertyName = $false, ParameterSetName = "v10" )] [switch]$Machine ) BEGIN { $MinimumVersion = [System.Version]"10.1" }#begin PROCESS { #Build Request if ($($PSCmdlet.ParameterSetName) -eq "v10") { Assert-VersionRequirement -ExternalVersion $Script:ExternalVersion -RequiredVersion $MinimumVersion #For Version 10.1+ $Request = @{ "URI" = "$Script:BaseURI/api/Accounts/$($AccountID | Get-EscapedString)/Password/Retrieve" "Method" = "POST" #Get all parameters that will be sent in the request "Body" = $PSBoundParameters | Get-PASParameter -ParametersToRemove AccountID | ConvertTo-Json } } ElseIf ($($PSCmdlet.ParameterSetName) -eq "ClassicAPI") { #For Version 9.7+ $Request = @{ "URI" = "$Script:BaseURI/WebServices/PIMServices.svc/Accounts/$($AccountID | Get-EscapedString)/Credentials" "Method" = "GET" } } #Add default Request parameters $Request.Add("WebSession", $Script:WebSession) #splat request to web service $result = Invoke-PASRestMethod @Request If ($result) { If ($PSCmdlet.ParameterSetName -eq "ClassicAPI") { $result = [System.Text.Encoding]::ASCII.GetString([PSCustomObject]$result.Content) } elseif ($PSCmdlet.ParameterSetName -eq "v10") { #Unescape returned string and remove enclosing quotes. $result = $([System.Text.RegularExpressions.Regex]::Unescape($result) -replace '^"|"$', '') } [PSCustomObject] @{"Password" = $result } | Add-ObjectDetail -typename psPAS.CyberArk.Vault.Credential } }#process END { }#end } |